Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Passwords — especially weak ones or those used across multiple systems — can create all kinds of vulnerabilities and security headaches for people and businesses. That’s why Google is now testing an alternative way for users to log into its services.

The test was brought to light yesterday when reddit user rp1226 posted documents and screenshots from Google’s experiment on the Android subreddit.

The system being tested works like this: after entering an e-mail address on Google's sign-in page on a computer, the user's phone receives a notification asking whether he is trying to log in. If the user taps "Yes," the phone then asks which of several numbers is currently displayed on the computer's sign-in page; choosing the right one completes the login with no password typed. The number-matching step is what ties the approval to the screen the user is actually looking at: someone who knows the e-mail address can trigger a prompt, but the real user cannot complete a login for them just by tapping "Yes" out of habit, because he would also have to pick the number shown on the attacker's screen.
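The flow described above, simulated end to end as an added example. This is illustrative code written for this post, not Google's implementation; the two-digit numbers, the three-choice prompt, the 60-second prompt lifetime and the names PushLoginServer and answer_from_phone are all assumptions. It shows the three checks a server has to make on the phone's reply (number matches, right account, not expired) and that a challenge can be consumed only once.

```python
import random
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    """One pending phone-prompt login, tied to the browser session that asked for it."""
    email: str
    browser_session: str
    correct: int        # the number rendered on the computer's sign-in page
    choices: list       # the numbers offered on the phone (correct one plus decoys)
    created: float
    used: bool = False  # a challenge may be answered exactly once


class PushLoginServer:
    """Server side of a number-matching phone prompt (assumed design, not Google's code).

    rng and clock are injectable so the flow can be exercised deterministically;
    the defaults are a CSPRNG and the real clock."""
    TTL_SECONDS = 60  # assumed lifetime of an unanswered prompt

    def __init__(self, rng=None, clock=time.time):
        self.rng = rng or secrets.SystemRandom()
        self.clock = clock
        self.pending = {}  # challenge_id -> Challenge

    def start_login(self, email, browser_session):
        """Browser submitted an e-mail address: issue one number for the screen, a prompt for the phone."""
        choices = self.rng.sample(range(10, 100), 3)   # three distinct two-digit numbers
        correct = self.rng.choice(choices)
        challenge_id = secrets.token_urlsafe(16)        # unguessable handle; never the number itself
        self.pending[challenge_id] = Challenge(email, browser_session, correct, choices, self.clock())
        return {
            "challenge_id": challenge_id,
            "display_number": correct,   # goes to the computer's sign-in page only
            "phone_prompt": {            # goes to the enrolled phone only
                "challenge_id": challenge_id,
                "question": f"Trying to sign in as {email}?",
                "choices": choices,
            },
        }

    def answer_from_phone(self, challenge_id, phone_account, approved, chosen=None):
        """Phone replied. Returns (status, browser_session); the session is non-None only on 'ok'."""
        ch = self.pending.get(challenge_id)
        if ch is None:
            return "unknown", None
        if ch.used:
            return "replay", None
        ch.used = True                                  # burn the challenge whatever the outcome
        if self.clock() - ch.created > self.TTL_SECONDS:
            return "expired", None
        if phone_account != ch.email:                   # must be answered from the enrolled account
            return "wrong_account", None
        if not approved:
            return "denied", None
        if chosen != ch.correct:                        # the number-matching step
            return "mismatch", None
        return "ok", ch.browser_session                 # caller now marks browser_session as signed in


class ManualClock:
    """Stand-in for time.time() so expiry can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Walks the flow with constructed input: genuine approval, replay, wrong number, expired prompt."""
    clock = ManualClock(1_000.0)
    srv = PushLoginServer(rng=random.Random(7), clock=clock)
    results = {}

    first = srv.start_login("alice@example.com", "browser-A")
    shown = first["display_number"]
    results["number_on_phone"] = shown in first["phone_prompt"]["choices"]
    results["approve"] = srv.answer_from_phone(first["challenge_id"], "alice@example.com", True, shown)
    results["replay"] = srv.answer_from_phone(first["challenge_id"], "alice@example.com", True, shown)[0]

    second = srv.start_login("alice@example.com", "browser-B")
    wrong = next(n for n in second["phone_prompt"]["choices"] if n != second["display_number"])
    results["mismatch"] = srv.answer_from_phone(second["challenge_id"], "alice@example.com", True, wrong)[0]

    third = srv.start_login("alice@example.com", "browser-C")
    clock.now += PushLoginServer.TTL_SECONDS + 1
    results["expired"] = srv.answer_from_phone(
        third["challenge_id"], "alice@example.com", True, third["display_number"])[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the challenge is marked used before any check runs, so a guess at the number costs the attacker the prompt rather than giving unlimited tries, and the browser session is bound to the challenge at creation, so the phone's approval can only ever sign in the screen that displayed the number.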

Growing Use of 2FA

Google’s experimental login system works much like the Account Key method launched by Yahoo in October. Available on iOS and Android devices, the Account Key login option for the Yahoo Mail mobile app is “more secure than a traditional password,” according to Yahoo.

Many tech companies are looking for alternatives to old-school passwords, which can be guessed, phished, stolen in a breach or cracked offline. Another strategy being used to improve security is two-factor authentication (2FA), which requires a user signing in on a computer to also prove possession of a second device, usually a smartphone, typically by typing in a code the phone generates or approving a prompt sent to it.

For example, Amazon last month introduced a two-step verification process in private beta. Viewed as a way to add an extra layer of security for users, two-factor authentication has also been available for some time for users of Google Gmail and Microsoft Outlook, among others. Google did not respond to our request for more information about its password-free login test.

Password Pain on Help Desks

While many in the tech community have been predicting — and agitating for — an end to traditional passwords (Microsoft chairman Bill Gates made such a forecast at the RSA Security conference way back in 2004), passwords are still widely used. In fact, a report by TechNavio in June indicated that the global market for password management was likely to grow by 16.33 percent through 2019.

At the same time, momentum is growing for password-free alternatives. Last week, for instance, the adaptive authentication company SecureAuth released the results of a survey that found 66 percent of cybersecurity professionals were exploring password alternatives.

A full 91 percent of those surveyed agreed that “the traditional password will not exist in ten years,” SecureAuth said. Passwords also create a drain on help desks, with more than a third of respondents noting that employees regularly ask for help with forgotten passwords.

“This survey very clearly indicates there is an appetite for multi-factor authentication solutions beyond the traditional password,” said SecureAuth CEO Craig Lund in a statement.

Another survey by Ping Identity this month found that users are often careless about the security of their passwords.

“Employees are doing some things really well to keep data secure, like creating unique and difficult-to-guess passwords, but are then reusing passwords across personal and work accounts or sharing them with family or colleagues,” said Ping Identity CEO Andre Durand. “No matter how good employees’ intentions are, this behavior poses a real security threat.”